IT Job Descriptions and Salary Data Latest News

 

November 21st, 2008 - 03:37 PM

Security Best Practices for Web 2.0 Applications

Because some Web 2.0 applications let users upload content, they are extremely susceptible to attackers who upload malicious content. Subsequent visitors are then infected simply by visiting a page. When developing web and Web 2.0 applications, use the following security best practices:

  • Make sure that the application validates all input before processing it
  • Use white listing rather than black listing for validation. White listing refers to the practice of validating and only accepting input that is good, as opposed to blocking input that is bad. For example, a ZIP code must always have five numbers. White listing ZIP code input means only accepting five numbers
  • Encode all user-supplied data to prevent sending inserted HTML to users in a format that their browsers can interpret
  • Minimize the exposed program logic
  • Document all inputs that your application allows

In addition, end users can help protect themselves by disabling script, applet and plug-in execution, although doing so limits functionality.
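As an added illustration of the first two practices above (validate all input; white-list rather than black-list; encode user data before it reaches a browser), the following Python is example code written for this page, not code from the original post. The field names, the patterns in ALLOWLIST and the render_comment fragment are constructed for the example; the ZIP rule is the "five numbers" one from the text.

```python
import html
import re

# White list: each documented input is accepted only if the WHOLE value matches
# its pattern. Anything not listed here is an undocumented input and is rejected.
# Note [0-9] rather than \d: in Python, \d also matches non-ASCII digits such as
# the fullwidth '１', which a "five numbers" rule does not intend to admit.
ALLOWLIST = {
    "zip": re.compile(r"[0-9]{5}"),                 # exactly five ASCII digits
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "comment": re.compile(r"[\x20-\x7E]{1,500}"),   # printable ASCII, 1-500 chars
}


def validate(field, value):
    """True only if `value` is entirely matched by the field's white-list pattern."""
    rule = ALLOWLIST.get(field)
    if rule is None or not isinstance(value, str):
        return False
    # fullmatch() anchors both ends. re.match() would accept "12345abc" for zip,
    # and a '$' anchor would accept "12345\n" because '$' matches before a final newline.
    return rule.fullmatch(value) is not None


def encode_for_html(value):
    """HTML-encode user data so the browser renders it as text, never as markup."""
    return html.escape(value, quote=True)


def render_comment(form):
    """Validate every documented field, then build the HTML fragment from encoded
    values only. Raises ValueError on a missing, unexpected or invalid field."""
    missing = set(ALLOWLIST) - set(form)
    unexpected = set(form) - set(ALLOWLIST)
    if missing or unexpected:
        raise ValueError(f"missing={sorted(missing)} unexpected={sorted(unexpected)}")
    for field, value in form.items():
        if not validate(field, value):
            raise ValueError(f"invalid {field}")
    # Validation does not replace encoding: the comment rule admits '<' and '"'
    # on purpose, and the encoding step is what keeps them from becoming markup.
    return (
        f'<p class="comment" data-zip="{encode_for_html(form["zip"])}">'
        f'<b>{encode_for_html(form["username"])}</b>: '
        f'{encode_for_html(form["comment"])}</p>'
    )


if __name__ == "__main__":
    sample = {"zip": "12345", "username": "alice", "comment": '<b>hi</b> & "bye"'}
    print(render_comment(sample))
```

The two layers are deliberately separate: the white list decides what the application will process at all, and encoding decides how whatever was accepted is shown to the next visitor.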


November 12th, 2008 - 02:29 PM

Net Attacks At All Time High
(ZDNet) Online networks suffered their heaviest brute force attacks to date this year, with more sites than ever coming under sustained assault.

IP networks were bombarded by Distributed Denial of Service (DDoS) attacks – attempts to make networks unreachable by flooding them with traffic – as intense as 40Gbps, a survey of 70 IP network operators worldwide has claimed.

The report by Arbor Networks says that the largest sustained attacks in the last two years were 24 Gbps and 17 Gbps, a 67 per cent increase in attack scale over last year.

A total of 36 per cent of respondents suffered sustained attacks larger than 1Gbps last year and the number suffering attacks of this type doubled in 2008.

Botnets continue to be the main vehicle used to disrupt network operations - accounting for 26 per cent of attacks - followed by DNS cache poisoning.


November 5th, 2008 - 02:54 PM

Record Management Is Addressed by Many CIOs

Record Management and archiving technologies are a challenge for CIOs in this uneasy era of wildly fluctuating financial markets, rising energy costs, and uncertain international political situations. First, a Record Management strategy must be put in place - for that look to http://www.e-janco.com/RecordManagementPolicy.html. Then do the following:

  • Think long term. Be sure to select products and services that are flexible enough to support changes in your business and computing environment. Your chosen solution should be able to maintain and enhance performance levels when you add users, data and applications.
  • Consider manageability. IT organizations are demanding manageability from archives similar to what they get from other infrastructure applications. Secure role-based administration and granular provisioning and reporting are the foundations of a good archiving solution - for that look to http://www.e-janco.com/nev.htm
  • Focus on content intelligence. Not all information is created equal; organizations need to manage and retain different pieces of information based on their individual value. Certain content (such as orders and contracts) may need to be maintained for years, while other data (such as personal email and newsletters) can be eliminated more quickly.
  • Optimize your total cost of ownership. While email archives often provide a quick return on investment from storage savings, a good solution also provides technical and administrative functionality that helps lower the cost of administration and overall ownership of the archive.
  • Look for best-of-breed, open solutions. Your record management platform should be able to grow and integrate with other systems as your environment changes and expands.


October 22nd, 2008 - 01:34 PM

Disaster Recovery Planning Site Re-Launched by Janco

The site www.zinnote.com has just been re-launched by Janco Associates, Inc. The site focuses on disaster recovery and business continuity planning.

Victor Janulaitis, the Chief Executive Officer of Janco Associates, Inc. said "Our mission is to provide the Chief Information Officer (CIO) and the Chief Technology Officer (CTO) all of the tools they need to efficiently and effectively stay current on the latest developments in Technology. To that end, this site is focused on meeting these objectives." He added, "Each of our sites is manually created from Janco products. This is not a mindless automated process, rather it is one in which we gather, filter and prioritize. Only the most meaningful disaster recovery and business continuity information is presented."


October 22nd, 2008 - 01:32 PM

Application Deployment Raises Many Issues for CIOs

For many enterprises, the deployment of applications along with servers and storage systems to numerous remote sites is both an administrative and a security nightmare. A key challenge this poses is defining a Backup Strategy, including:

  • Defining what to backup and when along with deploying and managing backup software and systems (see http://www.e-janco.com/BackupPolicy.html )
  • Media management policies for both onsite and offsite storage of backup media that often require the use of third-party transportation and vaulting companies, thereby increasing the risk of lost or misused data (see http://www.e-janco.com/Security.php )
  • Monitoring success/failure rates on remote backup processes and undertaking complex data/application recovery procedures, where local IT expertise is limited or nonexistent (see http://www.e-janco.com/nev.htm )
  • Supporting business continuity plans with datacenter replication, where bandwidth may be limited or cost prohibitive (see http://www.e-janco.com/DisasterPlanning.htm )


October 22nd, 2008 - 01:30 PM

Security strategy for midsized companies

Midsized businesses face many of the same security threats as their larger counterparts: viruses, worms, malware, unwanted and illegal software, and attacks from both insiders and outsiders. Likewise, they often have to comply with the same regulations that govern vertical industries ranging from health care to financial services.

While they face many of the same issues as larger companies, midsized organizations typically have smaller security budgets, whether for hardware, software and services, or staff. Indeed, in some cases, the IT professional in charge of security in a midsized organization is also responsible for most or all other aspects of the organization's IT infrastructure and networks.

The good news is that security doesn't necessarily have to be expensive. Organizations can maintain a sound security posture by developing - and following - a comprehensive set of security policies and using comprehensive and integrated security solutions when possible. Additionally, a variety of free or low-cost security tools are available to help with everything from risk assessment to routine patching.


October 9th, 2008 - 05:56 PM

Service-Oriented Architecture - SOA Definition

Service-Oriented Architecture (SOA) is an approach to designing and building systems which are flexible and adaptable to support a dynamic business environment. An SOA lets you design, build, deploy and integrate services independent of applications and the computing platforms on which they run. These services are then linked together through defined business processes to form composite services, applications and composite applications to perform complete business functions. This architecture also conforms to the ITIL standard.

In an open SOA framework, services can be shared and reused across several business processes. The result is a highly adaptive environment, with lower costs for application development, improved integration and quicker deployments. A single SOA-based service can, in fact, be widely reused throughout your enterprise by many business processes. And these business processes can be changed at any time to request other new and different services. Once you deploy SOA for your core business functions, the ability to dynamically add new capabilities through services can help reduce your development costs and almost eliminate traditional development cycles to more quickly deliver new customer services and open new market channels.


September 30th, 2008 - 12:18 PM

IT Service Management Metrics Defined

The role of remote support is key to improving IT Service Management. Remote-support technology can have a significant impact on improving IT Service Management by:

  • Reducing call-handling time - As technology becomes more complex, walking novice customers through problem identification, recovery procedures or checking detailed settings can take time and increase customer frustration. Tools need to be implemented that ease this process.
  • Increasing first-interaction closure rates - When agents are able to instantly "see" error situations without having to walk through tedious scripts, closures are sped up.
  • Deflecting phone interactions - Allowing customers to communicate effectively in their channel of choice is critical to improving IT Service Management levels. As Generation X and Y age into the target demographic of more industries, understanding their channel preferences means offering more options. Remote support offers the same capabilities via Email or a Web chat/collaboration session as a phone call.


September 24th, 2008 - 02:14 PM

Critical Success Factors in a Disaster Recovery Business Continuity Process

Critical Success Factor Analysis is a key indicator by which you can measure the success of your disaster recovery process and plan. Critical Success Factors for disaster recovery are somewhat different from those used to measure typical performance issues, because they are a combination of project status and infrastructure implementations. Critical Success Factors include:

  • Frequency of reports from the disaster recovery / business continuity group to senior management on the status of the Disaster Recovery and Business Continuity process
  • Number of senior operating managers participating on the disaster recovery and business planning teams.
  • Frequency of tests to verify implementation of the disaster recovery / business continuity plan and the quality of the reports about gaps and risks.
  • Quality of the analysis of the disaster recovery business continuity handling, effectiveness, and impact on the business (after a disaster occurs).


September 17th, 2008 - 01:57 PM

Budget Cuts Will Not Guarantee Productivity Improvements

Lehman Brothers' Information and Communications Technology (ICT) costs rose 18% in 2007 from 2006 to reach $1.145 billion, reflecting increased costs from the continued expansion of its investment management systems. In the last quarter before declaring bankruptcy they spent $309 million on technology and communications, up from $282 million in the same period last year.

As we move into troubled times, most enterprises are looking for ways to avoid problems like those faced by Lehman and others that fail. Budget cuts are not the only way that overall cost reduction can be achieved. Companies that slash their IT budgets to the bone risk losing their long-term competitive edge, reducing IT and enterprise morale, and making it almost impossible to achieve long-term productivity improvements. That does not mean enterprises should ignore the slowing economy and go ahead and sign that contract for new systems and/or new technology.

Good investments in key areas can yield the near-term revenue and efficiency. Examples are: managing sales and pricing, optimizing production and distribution channels, enhancing support processes, optimizing overhead and performance management.


September 3rd, 2008 - 11:06 AM

Over 180,000 Identity Theft Complaints Every Year from 2004 to 2006

There were over 650,000 complaints about fraud that the U.S. Federal Trade Commission received each year in the period 2004 to 2006. Of those, identity theft was the subject 35% to 36% of the time.

21% of banking institutions have either suffered a security breach during the past two years, or don't know if they have. Another 35% have been victims of a phishing attack during the past year. The rampancy of these destructive practices gave rise in years past to a clamor for government regulation of electronic commerce, but the credit card companies that generally had to foot the bill for all the online carelessness felt they could not afford to wait. They knew that SSL Certificates provided the necessary protection for sensitive information and that they can be easily implemented by e-commerce companies and other institutions that transmit and receive credit card information over the Internet. They also knew that without pressure to act, many of these companies would be slow to adopt the technology.


August 15th, 2008 - 02:02 PM

States to Tax On-Line Music Sales

With retail e-commerce sales now estimated to exceed $130 billion a year, and iTunes song purchases topping 5 billion, state politicians and tax collectors have begun to levy new fees on digital downloads.


In 2008 alone, at least nine states have considered digital download taxes, and at least five of those states have enacted them into law. Nebraska's governor signed a digital download tax bill into law in April, and a similar measure was adopted in Tennessee in June. As CNET News reported a few months ago, Indiana, South Dakota, and Utah also enacted digital download taxes this year.

The push stems from an odd legal quirk: because most states' tax laws were written long before the Internet existed, they may accidentally immunize downloads from taxation. This is the case even in otherwise high-tax states like California, where physical CDs are taxed heavily but iTunes downloads remain tax-free for now.


August 11th, 2008 - 04:26 PM

Apple Continues On Closed System Path - Believes It Is Big Brother

With the iPhone many thought that an open architecture platform was on the horizon. However, Apple continues to "control" hardware and software that carries its label. In a story published in The Wall Street Journal, the CEO of Apple, Steve Jobs, acknowledged that Apple has a "kill switch" it can activate remotely to disable applications downloaded to iPhone and iPod Touch devices.

Jobs argued, "Hopefully we never have to pull that lever, but we would be irresponsible not to have a lever like that to pull."


August 6th, 2008 - 02:18 PM

Steps to Create a Secure Disaster Recovery & Business Continuity Plan

The Janco Disaster Recovery Plan & Business Continuity Template utilizes a framework that is compliant with the National Institute of Standards and Technology (NIST) Contingency Planning Guide for Information Technology Systems. The standard is targeted at government agencies that deal with sensitive information and is fairly long and complex, but the framework is straightforward, consisting of the following seven steps from the Executive Summary:

  • Develop the contingency planning policy statement. A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan.
  • Conduct the business impact analysis (BIA). The BIA helps to identify and prioritize critical IT systems and components.
  • Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
  • Develop recovery strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
  • Develop an IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system.
  • Plan testing, training and exercises. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
  • Plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements.


August 1st, 2008 - 10:52 AM

Security Requirements Can Not Be Ignored


Regulations like Sarbanes-Oxley, which affect publicly-held companies, get most of the press. But there are plenty of regulations with security implications that hover over smaller businesses, including HIPAA (Health Insurance Portability and Accountability Act), California's SB 1386 data breach disclosure law, and the Gramm-Leach-Bliley Act, which covers those who prepare income tax returns, debt collectors, consumer credit counseling and reporting agencies, and real estate transaction settlement services. All of these - and others - carry the force of law, and failure to comply can result in fines and even criminal charges as well as civil lawsuits. In addition, other standards that do not have the force of law - notably PCI DSS (Payment Card Industry Data Security Standard), which covers credit card transactions and is legally mandated in at least Minnesota - can impose fines or the loss of essential privileges on violators.


July 22nd, 2008 - 03:42 PM

Wrong E-Mail Address Causes Prosecution by NYC

(PC Magazine) A message is not always from the person it purports to be "From: ".

Someone should have explained this problem to the New York City Police department and the Bronx County District Attorney, both of whom used an e-mail sent by one party to a second party, following an error by that second party, in order to prosecute a third party for sending it. In fact, in this case the header may have been accurate and the problem simple laziness in examining it.

Bronx resident William Hallowell was arrested on the complaint of his supervisor, Robin Berson. Ms. Berson had attempted to send an e-mail to Mr. Hallowell, but typed in the wrong address and sent it to a Ben Hallowell. Ben Hallowell's response made reference to illegal activities and hit on Ms. Berson in a crude way. Still not realizing what she had done, she reported William Hallowell to the Police who, despite a shocking absence of evidence against him, arrested him and held him for more than 30 hours. Prosecutors then took 4 months to dismiss the case. All these claims are as made in Hallowell's civil rights suit filed recently against police and prosecutors.


July 18th, 2008 - 10:42 AM

Intel and AMD Are Going Green

AMD and Intel have put in a lot of time and effort devising CPU power management schemes for their multicore devices aimed at trimming the energy draw of the server farm. But new questions are being raised as to whether these techniques are the most effective means to lower energy bills, particularly as virtualization becomes more popular throughout the enterprise.

Both AMD and Intel use some form of on-chip processing to shut down idle cores, allowing energy to be diverted elsewhere. Intel's platform provides for individual control of processors - ostensibly to preserve laptop battery life  - and it is tying it to a server power management system that allows admins to direct power within individual server racks. But according to some critics, enterprises shouldn't expect much from the on-chip power-saving tools, particularly those that seek to manage idle cores.


July 6th, 2008 - 07:12 AM

Record Retention Mandated by New Federal Rules

The new Federal Rules of Civil Procedure (FRCP) have set high standards for the discovery of email and Electronically Stored Information (ESI). In as little as 30 days after litigation is filed, an organization may need to provide detailed lists of what ESI exists and be able to produce that ESI quickly. The Federal Rules of Civil Procedure also require organizations to protect ESI as evidence from willful and/or accidental destruction.

  • An organization must know at the beginning of a case what relevant ESI exists, where it is, and how hard it is to access.
  • An organization must quickly produce all relevant electronic information from active systems.
  • The opposing litigants want to track changes to documents and view metadata, and the organization has to help them.
  • An organization can destroy ESI as part of a routine, pre-arranged process until there is reason to believe that organization

Type of Data                                       | Minimal Backup Policy                         | Backup Retention Policy
---------------------------------------------------|-----------------------------------------------|--------------------------------------------------------------------------------------
System software                                    | Latest version plus patches; at least weekly  | Annual (verified) backup; monthly generations; weekly generations
Application software                               | Latest version plus patches; at least weekly  | Annual (verified) backup; monthly generations; weekly generations
System data                                        | Daily                                         | Annual (verified) backup; monthly generations; weekly generations; daily generations
Application data                                   | Daily, with real-time transaction files       | Annual (verified) backup; monthly generations; weekly generations; daily generations
Software licenses, encryption keys & protocol data | Weekly                                        | Annual (verified) backup; monthly generations; weekly generations
 

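The retention column above is a generation scheme: for each data type, keep the newest annual, monthly, weekly and (for data) daily generations and let everything else expire. The Python below is an added example of applying such a policy to a set of backup dates; it is not Janco's code and the table itself does not state how many generations of each tier to keep, so the counts in GENERATIONS, the calendar convention in tiers_for (Sunday closes the week, the 1st opens the month, 1 January opens the year) and the data-type labels are assumptions made for this example. The "verified" requirement on the annual tier mirrors the table's "Annual (verified) backup": an annual generation that has never passed a test restore does not count.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention tiers per data type, as in the table (tier names only).
# The data-type labels are shortened for this example.
TIERS_BY_DATA_TYPE = {
    "system software":        {"annual", "monthly", "weekly"},
    "application software":   {"annual", "monthly", "weekly"},
    "system data":            {"annual", "monthly", "weekly", "daily"},
    "application data":       {"annual", "monthly", "weekly", "daily"},
    "licenses/keys/protocol": {"annual", "monthly", "weekly"},
}

# Assumed number of generations to keep per tier (constructed; not from the table).
GENERATIONS = {"daily": 7, "weekly": 4, "monthly": 12, "annual": 3}


@dataclass(frozen=True)
class Backup:
    taken: date
    verified: bool = False  # True once a test restore from this backup has succeeded


def tiers_for(day):
    """Tiers a backup taken on `day` can serve as. Constructed convention:
    Sunday is the weekly generation, the 1st the monthly one, 1 January the annual one."""
    tiers = {"daily"}
    if day.weekday() == 6:
        tiers.add("weekly")
    if day.day == 1:
        tiers.add("monthly")
        if day.month == 1:
            tiers.add("annual")
    return tiers


def retained(data_type, backups, generations=GENERATIONS):
    """Backups to keep for `data_type`: for each tier the policy grants that type,
    the newest generations[tier] backups that qualify. Annual generations count
    only if verified, matching the table's 'Annual (verified) backup'."""
    keep = set()
    for tier in TIERS_BY_DATA_TYPE[data_type]:
        eligible = [b for b in backups
                    if tier in tiers_for(b.taken) and (tier != "annual" or b.verified)]
        eligible.sort(key=lambda b: b.taken, reverse=True)
        keep.update(eligible[:generations[tier]])
    return keep


def prune_candidates(data_type, backups, generations=GENERATIONS):
    """Backups no tier requires, i.e. the ones the policy allows to expire."""
    return set(backups) - retained(data_type, backups, generations)


def sample_backups(first, last, verified_days=()):
    """Constructed sample: one backup per day from `first` to `last` inclusive;
    only the dates in `verified_days` have passed a test restore."""
    out = []
    day = first
    while day <= last:
        out.append(Backup(day, verified=day in verified_days))
        day += timedelta(days=1)
    return out


if __name__ == "__main__":
    history = sample_backups(date(2007, 1, 1), date(2008, 11, 21),
                             verified_days={date(2007, 1, 1), date(2008, 1, 1)})
    for kind in ("system data", "system software"):
        kept = retained(kind, history)
        print(f"{kind}: keep {len(kept)} of {len(history)}, "
              f"expire {len(prune_candidates(kind, history))}")
```

Running the sample shows the practical difference between the "software" and "data" rows: the daily tier is what keeps the most recent week of a data backup recoverable, while software retention rests on the weekly and monthly generations alone. The verified flag is the check to build in: if the annual generation is never test-restored, the routine silently keeps nothing at that tier.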

June 27th, 2008 - 05:07 PM

Google Acts Like Microsoft

Google is starting to act the way Microsoft did in the 1990's by taking ideas from smaller companies. Google was named in a trade secrets lawsuit alleging that the company's business software unit copied a tiny start-up's tool for moving customers off of Microsoft software onto Google's.

LimitNone filed a complaint in an Illinois circuit court alleging that Google at first began promoting the smaller firm's tool for migrating Microsoft Outlook customers to Gmail, then copied the idea and went into competition with it.

The lawsuit was brought by the commercial litigation firm of Kelley Drye & Warren LLP - by the same team who previously faced off with Google in a trademark case involving the Silicon Valley company's highly successful online advertising system.


The latest suit takes aim at the company's fast-growing Google Apps software application business, which includes Gmail for business users. Google is seeking to woo customers away from relying on rival Microsoft software.

The complaint accuses the Web leader of engaging in deceptive business practices that chill competition. It seeks reimbursement from Google of actual damages, attorneys' fees and calls on the court to award punitive damages to LimitNone.


June 11th, 2008 - 11:12 AM

Data Breaches are a Fact of Life

Data breaches are a fact of life with the advance of Wi-Fi, 3G, and remote computing as it is done in today's flexible business environment. In the modern organization, data is everywhere and keeping track of it is an extremely complex challenge. The fundamental principle, however, is quite simple - if you don't know where data is, you certainly can't protect it.

Data breaches and network intrusions occur because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers. Some breaches do not expose such sensitive information; however, they still expose individuals to identity theft and businesses to a compromise of their electronic assets, and that must be disclosed under Sarbanes-Oxley and various state laws.

According to Verizon, nearly nine in 10 corporate data breaches could have been prevented had reasonable security measures been in place.

The Verizon "2008 Data Breach Investigations Report" spans four years and more than 500 forensic investigations involving 230 million records, and analyzes hundreds of corporate breaches including three of the five largest ones ever reported.

They found that 73 percent of breaches resulted from external sources versus 18 percent from insider threats, and most breaches resulted from a combination of events rather than a single hack or intrusion.

Key Findings Are:

  • Most data breaches investigated were caused by external sources. Thirty-nine percent of breaches were attributed to business partners, a number that rose five-fold during the course of the period studied.
  • Most breaches resulted from a combination of events rather than a single action. Sixty-two percent of breaches were attributed to significant internal errors that either directly or indirectly contributed to a breach. For breaches that were deliberate, 59 percent were the result of hacking and intrusions.
  • Of those breaches caused by hacking, 39 percent were aimed at the application or software layer. Attacks on the application, software and services layer were much more commonplace than operating system platform exploits, which made up 23 percent.
  • Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability. Significantly, 90 percent of known vulnerabilities exploited had patches available for at least six months prior to the breach.
  • Nine of 10 breaches involved some type of "unknown" including unknown systems, data, network connections and/or account user privileges. Additionally, 75 percent of breaches are discovered by a third party rather than the victimized organization and go undetected for a lengthy period.
  • In the modern organization, data is everywhere and keeping track of it is an extremely complex challenge. The fundamental principle, however, is quite simple – if you don't know where data is, you certainly can't protect it.

© 1999 - 2008 Janco Associates, Inc. - ALL RIGHTS RESERVED -- Revised: 09/17/08.